The biggest threat to an organisation’s cyber-security comes from within, according to a growing body of evidence. Employees are frequently putting their companies at risk of hacking by sharing their passwords, using public WiFi networks to send sensitive information, or not protecting the privacy of social media accounts.

But there’s another threat that at first seems innocuous and that we’re all probably guilty of, something that researchers have dubbed “cyberloafing”. My research group’s new study shows this practice of using work computers for personal internet browsing can become a serious security threat to a company when it goes too far.

Most companies accept that their employees will occasionally check social media or send personal emails from work computers. But in some cases things can get more serious, with people people spending significant amounts of time updating their own websites, watching videos or even pornography. Early estimates suggested that 45% of employees questioned cited surfing the internet at work for personal purposes as the number one distraction at work.

This can have a big impact on a company’s productivity, with research suggesting that employees each waste an average of 2.09 hours a day while cyberloafing. But our new study also shows that the more employees engage in serious cyberloafing, the less likely they are to follow the rules and protocols designed to protect the company’s IT systems, and the bigger threat they become to cyber-security.

We asked 338 part-time and full-time workers aged 26-65 about their cyberloafing habits, their knowledge of information security, and behaviour that could indicate internet addiction. Those who cyberloafed more often knew less about information security. And those who engaged in more serious cyberloafing (such as updating personal websites, visiting dating websites or downloading illegal files) had significantly poorer cyber-security awareness.

Typically, people undertaking more serious cyberloafing were less aware of how to stay safe online and how to protect sensitive information. One reason for this could be that they are so determined to get online they don’t want to pay attention to information about online safety and ignore the risks. On they other hand, they may believe their companies can protect themselves from anything that might happen as a result of risky behaviour.

Those in our survey who scored higher for internet addiction behaviour were also much more likely to have poorer awareness of and follow safety protocols. And those who were serious cyberloafers and potential internet addicts were the greatest risk of all.

As I explain in my recent book Cybercognition, internet addiction is a compulsion to get online, sometimes with the aim of fuelling other addictions to digital activities such as online gambling or shopping. Critically, the drive to get online can be the same as any physical addiction, so the internet acts like a drug for some people.

This means people who show aspects of internet addiction may be more determined to get online at any costs and more likely to try to get around security protocols or ignore advice about online safety. They may think they know better because they spend so much time online. Or they may not fully understand the risks because they are so absorbed in the online world.

How to tackle cyberloafing

All of this doesn’t mean we should cut off all internet access for employees. Being able to surf the internet is an important part of some people’s work. But excessive use of internet services and work IT systems can put companies at risk, particularly when people are accessing risky websites or downloading programmes from unknown sources.

There are a number of things companies can do to help mitigate the risks from excessive cyberloafing. As we suggest in our study’s conclusion, some organisations may apply very strict penalties for serious rule breaking. But providing effective training that empowers employees to identify aspects of internet abuse and seek help could be a more effective management tool. Helping workers understand the risks of their actions might be more beneficial, particularly where these are communicated through focus groups and talks.

But one thing companies should avoid (and all too often don’t) is simply sending out an email reminder. Research shows that messages about the potential risks to information security sent via email are the least effective. And if you’re deep into a cyberloafing session, an email will be just another corporate message lost in an overloaded inbox.

Lee Hadlington does not work for, consult, own shares in or receive funding from any company or organization that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.

Disclaimer: EconoTimes provides references and links to selected blogs and other sources of economic and market information as an educational service to its clients and prospects and does not endorse the opinions or recommendations of the blogs or other sources of information. Clients and prospects are advised to carefully consider the opinions and analysis offered in the blogs or other information sources in the context of the client or prospect's individual analysis and decision making. None of the blogs or other sources of information is to be considered as constituting a track record. Past performance is no guarantee of future results and EconoTimes specifically advises clients and prospects to carefully review all claims and representations made by advisors, bloggers, money managers and system vendors before investing any funds or opening an account with any Brokerage. Any news, opinions, research, data, or other information contained within this website is provided as general market commentary and does not constitute investment or trading advice. EconoTimes expressly disclaims any liability for any lost principal or profits without limitation which may arise directly or indirectly from the use of or reliance on such information. As with all such advisory services, past results are never a guarantee of future results.

Welcome to EconoTimes

Sign up for daily updates for the most important
stories unfolding in the global economy.